Malware Analysis Report

2025-08-06 03:43

Sample ID 230430-m1swjahd99
Target Memory.vbs
SHA256 ad9a2790803eb17a4e3977c514c4ca98e520cb38f00f8103ee5f2cc1ed209b47
Tags
asyncrat default rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad9a2790803eb17a4e3977c514c4ca98e520cb38f00f8103ee5f2cc1ed209b47

Threat Level: Known bad

The file Memory.vbs was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Blocklisted process makes network request

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Modifies registry class

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-30 10:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-30 10:56

Reported

2023-04-30 10:59

Platform

win7-20230220-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\System32\WScript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data removed] | C:\Windows\System32\WScript.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Windows\System32\WScript.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [blob data removed] | C:\Windows\System32\WScript.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\notepad.exe | N/A
N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1588 wrote to memory of 1584 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1588 wrote to memory of 1584 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1588 wrote to memory of 1584 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 1584 wrote to memory of 1644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1584 wrote to memory of 1644 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1828 wrote to memory of 1056 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1124 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1124 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1124 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1056 wrote to memory of 1800 | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\Admin\Desktop\SubmitUpdate.ps1"

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\SubmitUpdate.ps1"

C:\Windows\System32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResumeWait.css

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.0.355683166\1439975545" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1184 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5bd52bb5-877f-4dbc-ad78-3efb17012623} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1280 13a1a558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.1.1983110839\2001939041" -parentBuildID 20221007134813 -prefsHandle 1464 -prefMapHandle 1460 -prefsLen 20971 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6844763e-1e12-4d28-8e63-84124af3e7ac} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1476 e6f558 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.2.1475014733\127366613" -childID 1 -isForBrowser -prefsHandle 2000 -prefMapHandle 2016 -prefsLen 21054 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b67035fa-a9f7-4cc8-893b-39a5ce12219e} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 1808 19fbae58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.3.1287878395\355019885" -childID 2 -isForBrowser -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4cd0de9d-6fea-42ba-8e6e-6361e934310f} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 2432 4138f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.4.1165467229\1441273700" -childID 3 -isForBrowser -prefsHandle 2772 -prefMapHandle 2768 -prefsLen 26564 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cbba45-d7c9-44b7-a961-8d7099897e90} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 2784 1bcf1758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.5.672143395\642375073" -childID 4 -isForBrowser -prefsHandle 3616 -prefMapHandle 2916 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {533ace37-d913-4f66-ac72-26f99e11762e} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3628 1cbbbe58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.6.910910768\1580800364" -childID 5 -isForBrowser -prefsHandle 1052 -prefMapHandle 3500 -prefsLen 26623 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b7a40a9-1a1d-4df9-81dc-22e86304b869} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3616 10cf0f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1056.7.981082481\1417938795" -childID 6 -isForBrowser -prefsHandle 3908 -prefMapHandle 3912 -prefsLen 26704 -prefMapSize 232675 -jsInitHandle 812 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {019d1575-50cd-4c65-8b6e-a9a9ef6c37df} 1056 "\\.\pipe\gecko-crash-server-pipe.1056" 3500 1e041a58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.0.377399218\593084186" -parentBuildID 20221007134813 -prefsHandle 1064 -prefMapHandle 1056 -prefsLen 17556 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0014f58b-9fe1-49b6-86da-85e1527bba3e} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 1128 f6f0358 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.1.208494050\88516281" -parentBuildID 20221007134813 -prefsHandle 1272 -prefMapHandle 1268 -prefsLen 17601 -prefMapSize 230321 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c22fe55-96e3-4915-b4ac-eae3030b9c58} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 1296 105a0b58 socket

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x518

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\Old Firefox Data\g9aaxljs.default-release\cert9.db

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.2.1231732284\180934228" -childID 1 -isForBrowser -prefsHandle 2324 -prefMapHandle 2320 -prefsLen 21493 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61a754c9-f1ce-41ed-95f1-e36dd07f0238} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 2336 1a156c58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.3.2104324689\1936221637" -childID 2 -isForBrowser -prefsHandle 2512 -prefMapHandle 2516 -prefsLen 21600 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b9f9d1a-3d25-428a-8270-a8b9d1e4b267} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 2500 1ad38558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.4.825854934\262093466" -childID 3 -isForBrowser -prefsHandle 2744 -prefMapHandle 2748 -prefsLen 22682 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {370dabd4-fb5c-4677-ac0e-643bb06132a2} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 2732 1b5dfb58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.5.443566454\278560463" -childID 4 -isForBrowser -prefsHandle 3048 -prefMapHandle 2580 -prefsLen 29253 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {16332c54-7d89-4ce2-a052-40f20368883e} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 3260 1c447b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.6.1040841536\438826198" -childID 5 -isForBrowser -prefsHandle 2576 -prefMapHandle 3272 -prefsLen 29253 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5261da38-0481-4e53-b6c1-fdf48807ca56} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 3236 1059e758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2884.7.1994786650\398112011" -childID 6 -isForBrowser -prefsHandle 3508 -prefMapHandle 3144 -prefsLen 29426 -prefMapSize 230321 -jsInitHandle 820 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9eadae-bc71-4bdf-99f4-1ee6b9d70570} 2884 "\\.\pipe\gecko-crash-server-pipe.2884" 3236 119b0f58 tab

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | pastebin.pl | udp
PL | 185.157.81.233:443 | pastebin.pl | tcp
US | 8.8.8.8:53 | apps.identrust.com | udp
NL | 88.221.25.153:80 | apps.identrust.com | tcp
N/A | 127.0.0.1:49310 | N/A | tcp
N/A | 127.0.0.1:49319 | N/A | tcp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp
US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp
US | 34.120.5.221:443 | getpocket.cdn.mozilla.net | tcp
US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp
US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp
US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 8.8.8.8:53 | contile.services.mozilla.com | udp
US | 34.117.237.239:443 | contile.services.mozilla.com | tcp
US | 8.8.8.8:53 | shavar.services.mozilla.com | udp
US | 54.149.234.21:443 | shavar.services.mozilla.com | tcp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | push.services.mozilla.com | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp
US | 34.117.65.55:443 | autopush.prod.mozaws.net | tcp
US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp
US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp
US | 35.241.9.150:443 | firefox.settings.services.mozilla.com | tcp
N/A | 127.0.0.1:49642 | N/A | tcp
N/A | 127.0.0.1:49647 | N/A | tcp
US | 8.8.8.8:53 | location.services.mozilla.com | udp
US | 52.41.179.165:443 | location.services.mozilla.com | tcp
US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp
US | 8.8.8.8:53 | locprod2-elb-us-west-2.prod.mozaws.net | udp
US | 8.8.8.8:53 | support.mozilla.org | udp
US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | prod.sumo.prod.webservices.mozgcp.net | udp
US | 8.8.8.8:53 | shavar.services.mozilla.com | udp
US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp
US | 8.8.8.8:53 | aus5.mozilla.org | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp
US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp

Files

memory/1584-71-0x000000001B250000-0x000000001B532000-memory.dmp

memory/1584-72-0x00000000022E0000-0x00000000022E8000-memory.dmp

memory/1584-73-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/1584-74-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/1584-75-0x00000000029F0000-0x0000000002A70000-memory.dmp

memory/1584-76-0x00000000029FB000-0x0000000002A32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7449.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar7855.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f429f80f6903d82eb1f6194e6f4c1a7d
SHA1 bcaaaa07e8fc46d1be8b46a4d8ca23466f013d81
SHA256 16521a622cb808af84e0cc61c4505bfa11c98060432ade4150f8159221584962
SHA512 b2b03922bbce74aa1e11722b550db6dbc9cd6a55a3d15132740eece13b55c543929c2dc76992ea283012319404946ffa4302078a3f6f21d6d51cb1638c9b528d

C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd

MD5 0c4f14db483f17cc1842aa6d7762fe00
SHA1 582e6d58bee7b124cd6b0b4d9514f73ce68d374c
SHA256 c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4
SHA512 d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950

C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd

MD5 0c4f14db483f17cc1842aa6d7762fe00
SHA1 582e6d58bee7b124cd6b0b4d9514f73ce68d374c
SHA256 c3aa7a1a4b7ff07c05c5c630853c1b9ce4110481a4300a05536e501f198fb4f4
SHA512 d5136d78b29667cfd3a6e2c050ebf95509e7acf032a192bc7eca8510f7c3d4b1e98aea1bb34cbe2d2cd54da87ee57dd2b93c4da27bf3ea30b5b32f5fe20f2950

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 39f9ba615eaca3db8b3d96ef4fa12e91
SHA1 5773d78b0f4c3161965169d0fd6f4ab428da15dd
SHA256 631c4ae8cea0269a16be04d977973a6650060ca403dff3e26d9144cd9c27936d
SHA512 57d1b9ce1ceb7e75454c8d83ae01a2fe6d8e09603186aaa9b239a1efc6e00ba1178920a21f5fad68e970d5b8d12f9aa4f5aa5cc32e32777ef42a1c81b7f13284

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EDR4AM71O4V3H9V7TWI5.temp

MD5 39f9ba615eaca3db8b3d96ef4fa12e91
SHA1 5773d78b0f4c3161965169d0fd6f4ab428da15dd
SHA256 631c4ae8cea0269a16be04d977973a6650060ca403dff3e26d9144cd9c27936d
SHA512 57d1b9ce1ceb7e75454c8d83ae01a2fe6d8e09603186aaa9b239a1efc6e00ba1178920a21f5fad68e970d5b8d12f9aa4f5aa5cc32e32777ef42a1c81b7f13284

memory/1644-193-0x000000001B0B0000-0x000000001B392000-memory.dmp

memory/1644-194-0x00000000022A0000-0x00000000022A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1

MD5 5136fb951b17f99d700ee1816764f255
SHA1 1ffa5721e100a286752da77bd203ac9d76573eec
SHA256 4c300f1601a8baa0a9bedf7048f960425ad7e1fe899b0ebded0f5628acdd0743
SHA512 29cacc82c91c194a8ca3df15aad8983d57c4bf563b9aec5b74cca0c99c8b42b49ff8ff182c42313ad7aee8d2fe3c2a6819dbcb0bef43eaaa01af53519b986566

memory/1644-196-0x0000000002414000-0x0000000002417000-memory.dmp

memory/1644-197-0x000000000241B000-0x0000000002452000-memory.dmp

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\activity-stream.discovery_stream.json.tmp

MD5 d78f44afbaad99deea718fe7c42c2367
SHA1 f6c70e6bf06d38e3aaf4d41651d74cef989d363f
SHA256 afc121866da59521dc3038d962ff6f08f02f2b798e5dbd4a1124acb4839e51d1
SHA512 1e8b527945dab2789e205d6d714516fa775600968764de5bf5c5d39a27979edf84200e4a9a4ba9619b4a146548e94e7deabbfd09a2d0cc257743122502392252

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\prefs.js

MD5 580aaebcc2926902dc1a82b71a1c70e5
SHA1 844e9d6832ad15e30e1f1e02b2fc1978c3955cf4
SHA256 2f8cfc1df1a4d6d9a5a338f79e811bf5e3584e5a62fec47638de62bde69cd5bd
SHA512 6a3004e1dba88f2d5cf2adda5939379bfdc94fc77557fb28ab116da1056a2982a0d2c3d9f1ad4b9a381917cf801a6edade445f2daa7771945fd30087b90a2086

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d562fce347017aabf34e7455a0564357
SHA1 e0c551369d24ae8297ed78a0cb21e365cd275867
SHA256 ede6673cf45ef0869e682fb9db666abd3fd8590000609f2ed5cd3af6f1778c6f
SHA512 413d5eccc8578f8b00522b4e10b306f86b56f7457b61163ac410162dd6ca5970ebd451a0b731b280fcaa98af0daad0309c8be6ac5ea750f7cf459fa4c3265d5a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore.jsonlz4

MD5 6702e13c604c2eb0f0b913c02164fd4a
SHA1 b2b75b353d88fc618696eaf9a5f216660f3b87be
SHA256 645973b1f03c8050eda4c452cd7231c91ad223df66e50a5d0c8b7565b425f1f0
SHA512 0e93ba7e4fcf7d15629ff3ea7581422f35da02102461f0e6285d59443b52890ec17b11e7687511734ebf8c23f98a802800f2a0ab4c2e5fe4ef93379065ce45bd

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\sessionCheckpoints.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionCheckpoints.json

C:\Users\Admin\Desktop\Old Firefox Data\g9aaxljs.default-release\addonStartup.json.lz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\addonStartup.json.lz4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\E78E3F76C38A478389988CA4F4C125CDF3D80965

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\9648808B6C63CD1AAD97A7B68F84F35C95682143

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\38FF788A718C79DDC3D1E23EAA975517D9BA3BB0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\cache2\entries\250EE2BC03AFF526F1A1C3DB212A79DE3EB60D5E

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\activity-stream.discovery_stream.json

C:\Users\Admin\Desktop\Old Firefox Data\g9aaxljs.default-release\crashes\store.json.mozlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\crashes\store.json.mozlz4

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\scriptCache-child.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\startupCache.8.little

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\scriptCache.bin

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9aaxljs.default-release\startupCache\urlCache.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\SiteSecurityServiceState.txt

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionstore-backups\upgrade.jsonlz4-20221007134813

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\sessionCheckpoints.json.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\search.json.mozlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\protections.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\xulstore.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\targeting.snapshot.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\datareporting\state.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\datareporting\session-state.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9aaxljs.default-release\datareporting\glean\db\data.safe.bin

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\sessionstore.jsonlz4

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\profiles.ini

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\extensions.json.tmp

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\containers.json

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ansawjgd.default-release-1682852295562\sessionstore-backups\recovery.jsonlz4

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-30 10:56

Reported

2023-04-30 10:59

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1288 set thread context of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4416 wrote to memory of 3400 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 3400 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 3400 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3400 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
PID 1288 wrote to memory of 2156 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Memory.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd" "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 pastebin.pl udp
PL 185.157.81.233:443 pastebin.pl tcp
US 8.8.8.8:53 233.81.157.185.in-addr.arpa udp
US 8.8.8.8:53 67.55.52.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 95.214.24.134:1911 tcp
US 8.8.8.8:53 134.24.214.95.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 20.42.73.26:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YTOSB.vbs

C:\Users\Admin\AppData\Roaming\WindowsServices\EHKOZ.cmd

memory/1288-158-0x0000028E4CC10000-0x0000028E4CC32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v1yxqcqq.gee.ps1

C:\Users\Admin\AppData\Roaming\WindowsServices\FWVCX.ps1

memory/1288-169-0x0000028E66380000-0x0000028E66390000-memory.dmp

memory/1288-170-0x0000028E66380000-0x0000028E66390000-memory.dmp

memory/2156-173-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe

memory/2156-178-0x0000000005640000-0x0000000005650000-memory.dmp

memory/2156-179-0x0000000005970000-0x0000000005A0C000-memory.dmp

memory/2156-180-0x0000000005FC0000-0x0000000006564000-memory.dmp

memory/2156-181-0x0000000005A80000-0x0000000005AE6000-memory.dmp

memory/2156-182-0x0000000005640000-0x0000000005650000-memory.dmp

memory/4444-183-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-184-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-185-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-190-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-195-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-194-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-193-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-192-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-191-0x00000231926D0000-0x00000231926D1000-memory.dmp

memory/4444-189-0x00000231926D0000-0x00000231926D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsServices.lnk

C:\Users\Admin\Start Menu\Programs\Startup\YTOSB.vbs
